<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=2">
<meta name="theme-color" content="#222">
<meta name="generator" content="Hexo 5.4.0">
  <link rel="apple-touch-icon" sizes="180x180" href="/images/apple-touch-icon-next.png">
  <link rel="icon" type="image/png" sizes="32x32" href="/images/favicon-32x32-next.png">
  <link rel="icon" type="image/png" sizes="16x16" href="/images/favicon-16x16-next.png">
  <link rel="mask-icon" href="/images/logo.svg" color="#222">
  <meta name="google-site-verification" content="d44tDfSSWxm1_XP1dAq65hkgyD6zw70Ua9JdCaJqWGg">

<link rel="stylesheet" href="/css/main.css">


<link rel="stylesheet" href="/lib/font-awesome/css/all.min.css">

<script id="hexo-configurations">
    var NexT = window.NexT || {};
    var CONFIG = {"hostname":"zasdfgbnm.github.io","root":"/","scheme":"Muse","version":"7.8.0","exturl":false,"sidebar":{"position":"left","display":"post","padding":18,"offset":12,"onmobile":false},"copycode":{"enable":false,"show_result":false,"style":null},"back2top":{"enable":true,"sidebar":false,"scrollpercent":false},"bookmark":{"enable":false,"color":"#222","save":"auto"},"fancybox":false,"mediumzoom":false,"lazyload":false,"pangu":false,"comments":{"style":"tabs","active":null,"storage":true,"lazyload":false,"nav":null},"algolia":{"hits":{"per_page":10},"labels":{"input_placeholder":"Search for Posts","hits_empty":"We didn't find any results for the search: ${query}","hits_stats":"${hits} results found in ${time} ms"}},"localsearch":{"enable":false,"trigger":"auto","top_n_per_article":1,"unescape":false,"preload":false},"motion":{"enable":true,"async":false,"transition":{"post_block":"fadeIn","post_header":"slideDownIn","post_body":"slideDownIn","coll_header":"slideLeftIn","sidebar":"slideUpIn"}}};
  </script>

  <meta name="description" content="版权信息：博主就是本文原创作者，但是本文最早发布于FreeBuf，并属FreeBuf原创奖励计划，如需转载请联系FreeBuf。 故事是这样的，本文作者读书的学校，IT部门要求我们如果使用Windows或者Mac OS要连接学校网络的话，必须安装SafeConnect客户端。这个客户端干的事情就是监视你的系统，确保你安装、启用并及时更新杀毒软件，确保你及时更新电脑上的Flash跟Java，确保你不">
<meta property="og:type" content="article">
<meta property="og:title" content="我与学校SafeConnect软件斗智斗勇的经历">
<meta property="og:url" content="https://zasdfgbnm.github.io/2017/07/01/%E6%88%91%E4%B8%8E%E5%AD%A6%E6%A0%A1SafeConnect%E8%BD%AF%E4%BB%B6%E6%96%97%E6%99%BA%E6%96%97%E5%8B%87%E7%9A%84%E7%BB%8F%E5%8E%86/index.html">
<meta property="og:site_name" content="zasdfgbnm">
<meta property="og:description" content="版权信息：博主就是本文原创作者，但是本文最早发布于FreeBuf，并属FreeBuf原创奖励计划，如需转载请联系FreeBuf。 故事是这样的，本文作者读书的学校，IT部门要求我们如果使用Windows或者Mac OS要连接学校网络的话，必须安装SafeConnect客户端。这个客户端干的事情就是监视你的系统，确保你安装、启用并及时更新杀毒软件，确保你及时更新电脑上的Flash跟Java，确保你不">
<meta property="og:locale" content="en_US">
<meta property="og:image" content="https://zasdfgbnm.github.io/2017/07/01/%E6%88%91%E4%B8%8E%E5%AD%A6%E6%A0%A1SafeConnect%E8%BD%AF%E4%BB%B6%E6%96%97%E6%99%BA%E6%96%97%E5%8B%87%E7%9A%84%E7%BB%8F%E5%8E%86/p2p-blocked.png">
<meta property="og:image" content="https://zasdfgbnm.github.io/2017/07/01/%E6%88%91%E4%B8%8E%E5%AD%A6%E6%A0%A1SafeConnect%E8%BD%AF%E4%BB%B6%E6%96%97%E6%99%BA%E6%96%97%E5%8B%87%E7%9A%84%E7%BB%8F%E5%8E%86/p2p-changeprocname.png">
<meta property="og:image" content="https://zasdfgbnm.github.io/2017/07/01/%E6%88%91%E4%B8%8E%E5%AD%A6%E6%A0%A1SafeConnect%E8%BD%AF%E4%BB%B6%E6%96%97%E6%99%BA%E6%96%97%E5%8B%87%E7%9A%84%E7%BB%8F%E5%8E%86/helloworld-blockedasp2p.png">
<meta property="og:image" content="https://zasdfgbnm.github.io/2017/07/01/%E6%88%91%E4%B8%8E%E5%AD%A6%E6%A0%A1SafeConnect%E8%BD%AF%E4%BB%B6%E6%96%97%E6%99%BA%E6%96%97%E5%8B%87%E7%9A%84%E7%BB%8F%E5%8E%86/inject-success.png">
<meta property="og:image" content="https://zasdfgbnm.github.io/2017/07/01/%E6%88%91%E4%B8%8E%E5%AD%A6%E6%A0%A1SafeConnect%E8%BD%AF%E4%BB%B6%E6%96%97%E6%99%BA%E6%96%97%E5%8B%87%E7%9A%84%E7%BB%8F%E5%8E%86/ua-windows.png">
<meta property="og:image" content="https://zasdfgbnm.github.io/2017/07/01/%E6%88%91%E4%B8%8E%E5%AD%A6%E6%A0%A1SafeConnect%E8%BD%AF%E4%BB%B6%E6%96%97%E6%99%BA%E6%96%97%E5%8B%87%E7%9A%84%E7%BB%8F%E5%8E%86/bettercap.png">
<meta property="og:image" content="https://zasdfgbnm.github.io/2017/07/01/%E6%88%91%E4%B8%8E%E5%AD%A6%E6%A0%A1SafeConnect%E8%BD%AF%E4%BB%B6%E6%96%97%E6%99%BA%E6%96%97%E5%8B%87%E7%9A%84%E7%BB%8F%E5%8E%86/ua-changed.png">
<meta property="article:published_time" content="2017-07-01T16:53:10.000Z">
<meta property="article:modified_time" content="2021-04-04T05:17:59.766Z">
<meta property="article:author" content="zasdfgbnm">
<meta property="article:tag" content="SafeConnect">
<meta property="article:tag" content="P2P">
<meta property="article:tag" content="DLL注入">
<meta property="article:tag" content="中间人攻击">
<meta property="article:tag" content="ARP欺骗">
<meta property="article:tag" content="逆向工程">
<meta property="article:tag" content="Hook">
<meta property="article:tag" content="User-Agent">
<meta property="article:tag" content="bettercap">
<meta name="twitter:card" content="summary">
<meta name="twitter:image" content="https://zasdfgbnm.github.io/2017/07/01/%E6%88%91%E4%B8%8E%E5%AD%A6%E6%A0%A1SafeConnect%E8%BD%AF%E4%BB%B6%E6%96%97%E6%99%BA%E6%96%97%E5%8B%87%E7%9A%84%E7%BB%8F%E5%8E%86/p2p-blocked.png">

<link rel="canonical" href="https://zasdfgbnm.github.io/2017/07/01/%E6%88%91%E4%B8%8E%E5%AD%A6%E6%A0%A1SafeConnect%E8%BD%AF%E4%BB%B6%E6%96%97%E6%99%BA%E6%96%97%E5%8B%87%E7%9A%84%E7%BB%8F%E5%8E%86/">


<script id="page-configurations">
  // https://hexo.io/docs/variables.html
  CONFIG.page = {
    sidebar: "",
    isHome : false,
    isPost : true,
    lang   : 'en'
  };
</script>

  <title>我与学校SafeConnect软件斗智斗勇的经历 | zasdfgbnm</title>
  
    <script async src="https://www.googletagmanager.com/gtag/js?id=UA-7583294-5"></script>
    <script>
      if (CONFIG.hostname === location.hostname) {
        window.dataLayer = window.dataLayer || [];
        function gtag(){dataLayer.push(arguments);}
        gtag('js', new Date());
        gtag('config', 'UA-7583294-5');
      }
    </script>


  <script>
    var _hmt = _hmt || [];
    (function() {
      var hm = document.createElement("script");
      hm.src = "https://hm.baidu.com/hm.js?a56abdeb557a286a6b7a104348fdfbcd";
      var s = document.getElementsByTagName("script")[0];
      s.parentNode.insertBefore(hm, s);
    })();
  </script>




  <noscript>
  <style>
  .use-motion .brand,
  .use-motion .menu-item,
  .sidebar-inner,
  .use-motion .post-block,
  .use-motion .pagination,
  .use-motion .comments,
  .use-motion .post-header,
  .use-motion .post-body,
  .use-motion .collection-header { opacity: initial; }

  .use-motion .site-title,
  .use-motion .site-subtitle {
    opacity: initial;
    top: initial;
  }

  .use-motion .logo-line-before i { left: initial; }
  .use-motion .logo-line-after i { right: initial; }
  </style>
</noscript>

<link rel="alternate" href="/atom.xml" title="zasdfgbnm" type="application/atom+xml">
</head>

<body itemscope itemtype="http://schema.org/WebPage">
  <div class="container use-motion">
    <div class="headband"></div>

    <header class="header" itemscope itemtype="http://schema.org/WPHeader">
      <div class="header-inner"><div class="site-brand-container">
  <div class="site-nav-toggle">
    <div class="toggle" aria-label="Toggle navigation bar">
      <span class="toggle-line toggle-line-first"></span>
      <span class="toggle-line toggle-line-middle"></span>
      <span class="toggle-line toggle-line-last"></span>
    </div>
  </div>

  <div class="site-meta">

    <a href="/" class="brand" rel="start">
      <span class="logo-line-before"><i></i></span>
      <h1 class="site-title">zasdfgbnm</h1>
      <span class="logo-line-after"><i></i></span>
    </a>
  </div>

  <div class="site-nav-right">
    <div class="toggle popup-trigger">
    </div>
  </div>
</div>




<nav class="site-nav">
  <ul id="menu" class="main-menu menu">
        <li class="menu-item menu-item-home">

    <a href="/" rel="section"><i class="fa fa-home fa-fw"></i>Home</a>

  </li>
        <li class="menu-item menu-item-archives">

    <a href="/archives/" rel="section"><i class="fa fa-archive fa-fw"></i>Archives</a>

  </li>
        <li class="menu-item menu-item-about">

    <a href="/about/" rel="section"><i class="fa fa-user fa-fw"></i>About</a>

  </li>
        <li class="menu-item menu-item-tags">

    <a href="/tags/" rel="section"><i class="fa fa-tags fa-fw"></i>Tags</a>

  </li>
        <li class="menu-item menu-item-categories">

    <a href="/categories/" rel="section"><i class="fa fa-th fa-fw"></i>Categories</a>

  </li>
        <li class="menu-item menu-item-sitemap">

    <a href="/sitemap.xml" rel="section"><i class="fa fa-sitemap fa-fw"></i>Sitemap</a>

  </li>
  </ul>
</nav>




</div>
    </header>

    
  <div class="back-to-top">
    <i class="fa fa-arrow-up"></i>
    <span>0%</span>
  </div>


    <main class="main">
      <div class="main-inner">
        <div class="content-wrap">
          

          <div class="content post posts-expand">
            

    
  
  
  <article itemscope itemtype="http://schema.org/Article" class="post-block" lang="en">
    <link itemprop="mainEntityOfPage" href="https://zasdfgbnm.github.io/2017/07/01/%E6%88%91%E4%B8%8E%E5%AD%A6%E6%A0%A1SafeConnect%E8%BD%AF%E4%BB%B6%E6%96%97%E6%99%BA%E6%96%97%E5%8B%87%E7%9A%84%E7%BB%8F%E5%8E%86/">

    <span hidden itemprop="author" itemscope itemtype="http://schema.org/Person">
      <meta itemprop="image" content="/images/avatar.gif">
      <meta itemprop="name" content="zasdfgbnm">
      <meta itemprop="description" content="">
    </span>

    <span hidden itemprop="publisher" itemscope itemtype="http://schema.org/Organization">
      <meta itemprop="name" content="zasdfgbnm">
    </span>
      <header class="post-header">
        <h1 class="post-title" itemprop="name headline">
          我与学校SafeConnect软件斗智斗勇的经历
        </h1>

        <div class="post-meta">
            <span class="post-meta-item">
              <span class="post-meta-item-icon">
                <i class="far fa-calendar"></i>
              </span>
              <span class="post-meta-item-text">Posted on</span>

              <time title="Created: 2017-07-01 12:53:10" itemprop="dateCreated datePublished" datetime="2017-07-01T12:53:10-04:00">2017-07-01</time>
            </span>
              <span class="post-meta-item">
                <span class="post-meta-item-icon">
                  <i class="far fa-calendar-check"></i>
                </span>
                <span class="post-meta-item-text">Edited on</span>
                <time title="Modified: 2021-04-04 01:17:59" itemprop="dateModified" datetime="2021-04-04T01:17:59-04:00">2021-04-04</time>
              </span>
            <span class="post-meta-item">
              <span class="post-meta-item-icon">
                <i class="far fa-folder"></i>
              </span>
              <span class="post-meta-item-text">In</span>
                <span itemprop="about" itemscope itemtype="http://schema.org/Thing">
                  <a href="/categories/%E4%BF%A1%E6%81%AF%E5%AE%89%E5%85%A8/" itemprop="url" rel="index"><span itemprop="name">信息安全</span></a>
                </span>
            </span>

          
  
  <span class="post-meta-item">
    
      <span class="post-meta-item-icon">
        <i class="far fa-comment"></i>
      </span>
      <span class="post-meta-item-text">Disqus: </span>
    
    <a title="disqus" href="/2017/07/01/%E6%88%91%E4%B8%8E%E5%AD%A6%E6%A0%A1SafeConnect%E8%BD%AF%E4%BB%B6%E6%96%97%E6%99%BA%E6%96%97%E5%8B%87%E7%9A%84%E7%BB%8F%E5%8E%86/#disqus_thread" itemprop="discussionUrl">
      <span class="post-comments-count disqus-comment-count" data-disqus-identifier="2017/07/01/我与学校SafeConnect软件斗智斗勇的经历/" itemprop="commentCount"></span>
    </a>
  </span>
  
  

        </div>
      </header>

    
    
    
    <div class="post-body" itemprop="articleBody">

      
        <p><strong>版权信息：博主就是本文原创作者，但是本文最早发布于<a target="_blank" rel="noopener" href="http://www.freebuf.com/news/topnews/125994.html">FreeBuf</a>，并属FreeBuf原创奖励计划，如需转载请联系FreeBuf。</strong></p>
<p>故事是这样的，本文作者读书的学校，IT部门要求我们如果使用Windows或者Mac OS要连接学校网络的话，必须安装SafeConnect客户端。这个客户端干的事情就是监视你的系统，确保你安装、启用并及时更新杀毒软件，确保你及时更新电脑上的Flash跟Java，确保你不使用P2P软件。然而我一直很不喜欢这种被监视的感觉，感觉这是侵犯了我的人权，况且我很少用P2P来下载盗版内容，偶尔用P2P一直都是用来下载Linux的安装镜像的，这种宁可错杀一千也不放过一个的做法实在是让人难以忍受。再加上学校的IT部门的人非常官僚，自己还没啥技术，曾经有同学找他们备份数据结果数据没备份成他们反而把分区表给搞坏了，这就让我坚定了跟他们斗争到底的想法，刚好也可以打发业余时光。由于SafeConnect客户端不支持Linux系统，同时学校中Linux用户的数量相当多，所以Linux系统不需要安装任何客户端，直接就能访问网络，这是一个关键性的切入点。</p>
<span id="more"></span>

<p>要同SafeConnect斗争，有两个切入点，一个是从SafeConnect客户端做手脚，想办法让SafeConnect客户端丧失相应的监测功能，只是傻傻地给他们的服务器汇报一切符合要求，另一个则是从SafeConnect网关的操作系统检测入手，只要能让网关认为我们用的是Linux系统，我们就可以上网了，这样连SafeConnect客户端都不用装了。</p>
<p>第一个切入点需要对SafeConnect进行逆向工程，搞清楚SafeConnect这些项目的检测机制。逆向工程向来都是费时费力，成本巨大，而且不可以跨平台。不过幸运的是，SafeConnect检测P2P软件的方式经过简单测试作者就发现了端倪：</p>
<img src="/2017/07/01/%E6%88%91%E4%B8%8E%E5%AD%A6%E6%A0%A1SafeConnect%E8%BD%AF%E4%BB%B6%E6%96%97%E6%99%BA%E6%96%97%E5%8B%87%E7%9A%84%E7%BB%8F%E5%8E%86/p2p-blocked.png" class="" title="打开P2P软件，网络被断，遭到警告">
<img src="/2017/07/01/%E6%88%91%E4%B8%8E%E5%AD%A6%E6%A0%A1SafeConnect%E8%BD%AF%E4%BB%B6%E6%96%97%E6%99%BA%E6%96%97%E5%8B%87%E7%9A%84%E7%BB%8F%E5%8E%86/p2p-changeprocname.png" class="" title="把P2P软件的进程名改掉，正常使用未被发现">
<img src="/2017/07/01/%E6%88%91%E4%B8%8E%E5%AD%A6%E6%A0%A1SafeConnect%E8%BD%AF%E4%BB%B6%E6%96%97%E6%99%BA%E6%96%97%E5%8B%87%E7%9A%84%E7%BB%8F%E5%8E%86/helloworld-blockedasp2p.png" class="" title="自己写一个Hello World程序并命名为为BitTorrent.exe并打开，网络被断，遭到警告">

<p>从上面的测试不难看出，SafeConnect通过列举系统的进程，如果发现黑名单中的进程名，就给你断开网络链接，然后弹出网页警告你说我们检测到你在使用P2P软件，这违反了学校的规定。明白了原理，就可以开干了。既然SafeConnect列举系统进程，那我们就使用进程隐藏技术把P2P软件的进程隐藏起来。</p>
<p>Windows系统有很多API可以访问系统的进程信息，但是所有这些API在底层最终都会调用<code>NtQuerySystemInformation</code>来获取系统进程信息。这个系统调用总共有四个参数，其中第一个参数<code>SystemInformationClass</code>表示的是你要查询的系统信息的类型，对于列举系统进程而言，这个参数的值应为<code>SystemProcessInformation</code>。第二个参数<code>SystemInformation</code>存储着获得的系统信息，对于列举进程而言，这个参数存储着一个链表，链表的每一项都是一个进程，而要隐藏进程，我们只需要从链表中删除相应的项即可。要篡改系统调用的结果，需要用到DLL注入技术将DLL注入到目标进程的地址空间，然后篡改地址空间中<code>NtQuerySystemInformation</code>函数的的代码加入跳转语句跳转到我们伪造的<code>NtQuerySystemInformation</code>去，这就是DLL注入的整个运行过程。整个DLL注入的过程不需要亲自动手，有现成的<a target="_blank" rel="noopener" href="http://easyhook.github.io/">EasyHook库</a>可以实现。</p>
<p>不多说，贴代码：</p>
<figure class="highlight c++"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">#<span class="meta-keyword">include</span> <span class="meta-string">&lt;easyhook.h&gt;</span></span></span><br><span class="line"><span class="meta">#<span class="meta-keyword">include</span> <span class="meta-string">&lt;string&gt;</span></span></span><br><span class="line"><span class="meta">#<span class="meta-keyword">include</span> <span class="meta-string">&lt;tchar.h&gt;</span></span></span><br><span class="line"><span class="meta">#<span class="meta-keyword">include</span> <span class="meta-string">&lt;iostream&gt;</span></span></span><br><span class="line"><span class="meta">#<span class="meta-keyword">include</span> <span class="meta-string">&lt;windows.h&gt;</span></span></span><br><span class="line"><span class="meta">#<span class="meta-keyword">include</span> <span class="meta-string">&lt;shlwapi.h&gt;</span></span></span><br><span class="line"><span class="meta">#<span class="meta-keyword">include</span> <span class="meta-string">&lt;winternl.h&gt;</span></span></span><br><span class="line"><span class="meta">#<span class="meta-keyword">include</span> <span class="meta-string">&lt;ntstatus.h&gt;</span></span></span><br><span class="line"></span><br><span class="line"><span class="meta">#<span class="meta-keyword">pragma</span> comment(lib, <span class="meta-string">&quot;EasyHook32.lib&quot;</span>)</span></span><br><span class="line"><span class="meta">#<span class="meta-keyword">pragma</span> comment(lib, <span class="meta-string">&quot;ntdll.lib&quot;</span> )</span></span><br><span class="line"><span class="meta">#<span class="meta-keyword">define</span> HIDE_PROCESS_NAME TEXT(<span class="meta-string">&quot;BitTorrent.exe&quot;</span>)</span></span><br><span class="line"></span><br><span class="line"><span class="function">BOOL APIENTRY <span class="title">DllMain</span><span class="params">(HMODULE hModule, DWORD  ul_reason_for_call, LPVOID lpReserved)</span> </span>&#123;</span><br><span class="line">    <span class="keyword">return</span> TRUE;</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>

<p>我们要Hook的函数位于ntdll.dll，所以在代码中要引用一下ntdll.lib。我们要写的dll的entry不需要做任何事情。接下来就是我们的自定义<code>NtQuerySystemInformation</code>了，在这里我把它命名为<code>myNtQuerySystemInformation</code>：</p>
<figure class="highlight c++"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br></pre></td><td class="code"><pre><span class="line"><span class="function">NTSTATUS WINAPI <span class="title">myNtQuerySystemInformation</span><span class="params">(SYSTEM_INFORMATION_CLASS SystemInformationClass,</span></span></span><br><span class="line"><span class="function"><span class="params">                                           PVOID SystemInformation, ULONG SystemInformationLength,</span></span></span><br><span class="line"><span class="function"><span class="params">                                           PULONG ReturnLength)</span> </span>&#123;</span><br><span class="line">    NTSTATUS status = <span class="built_in">NtQuerySystemInformation</span>(SystemInformationClass, SystemInformation,</span><br><span class="line">                                               SystemInformationLength, ReturnLength);</span><br><span class="line">    <span class="keyword">if</span> (status != STATUS_SUCCESS)</span><br><span class="line">        <span class="keyword">return</span> status;</span><br><span class="line">    <span class="keyword">if</span> (SystemInformationClass == SystemProcessInformation) &#123;</span><br><span class="line">        PSYSTEM_PROCESS_INFORMATION pcur = <span class="literal">NULL</span>, pprev = <span class="literal">NULL</span>;</span><br><span class="line">        pcur = (PSYSTEM_PROCESS_INFORMATION)SystemInformation;</span><br><span class="line">        <span class="keyword">while</span> (<span class="number">1</span>) &#123;</span><br><span class="line">            <span class="keyword">if</span> (pcur-&gt;Reserved2[<span class="number">1</span>] != <span class="literal">NULL</span>) &#123;</span><br><span class="line">                <span class="keyword">if</span> (_tcscmp((LPTSTR)(pcur-&gt;Reserved2[<span class="number">1</span>]), HIDE_PROCESS_NAME) == <span class="number">0</span>) &#123;</span><br><span class="line">                    <span class="comment">// delete element from linked list</span></span><br><span class="line">                    <span class="keyword">if</span> (pcur-&gt;NextEntryOffset == <span class="number">0</span> &amp;&amp; pprev != <span class="literal">NULL</span>)</span><br><span class="line">                        pprev-&gt;NextEntryOffset = <span class="number">0</span>;</span><br><span class="line">                    <span class="keyword">else</span> <span class="keyword">if</span> (pprev != <span class="literal">NULL</span>)</span><br><span class="line">                        pprev-&gt;NextEntryOffset += pcur-&gt;NextEntryOffset;</span><br><span class="line">                &#125; <span class="keyword">else</span> &#123;</span><br><span class="line">                    pprev = pcur;</span><br><span class="line">                &#125;</span><br><span class="line">            &#125;</span><br><span class="line">            <span class="keyword">if</span> (pcur-&gt;NextEntryOffset == <span class="number">0</span>)</span><br><span class="line">                <span class="keyword">break</span>;</span><br><span class="line">            pcur = (PSYSTEM_PROCESS_INFORMATION)((ULONG)pcur + pcur-&gt;NextEntryOffset);</span><br><span class="line">        &#125;</span><br><span class="line">    &#125;</span><br><span class="line">    <span class="keyword">return</span> status;</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>

<p>正如刚刚介绍的那样，这个函数做的事情就是把要隐藏的进程从链表删掉。同时，EasyHook还要求我们在dll中定义安装函数，这个不复杂，直接从官方教程粘贴代码简单改改就好：</p>
<figure class="highlight c++"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">extern</span> <span class="string">&quot;C&quot;</span> <span class="keyword">void</span> __declspec(dllexport) <span class="function">__stdcall <span class="title">NativeInjectionEntryPoint</span><span class="params">(REMOTE_ENTRY_INFO* inRemoteInfo)</span></span>;</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">void</span> __stdcall <span class="title">NativeInjectionEntryPoint</span><span class="params">(REMOTE_ENTRY_INFO* inRemoteInfo)</span> </span>&#123;</span><br><span class="line">    HOOK_TRACE_INFO hHook = &#123; <span class="literal">NULL</span> &#125;;</span><br><span class="line">    HMODULE ntdll = <span class="built_in">GetModuleHandle</span>(<span class="built_in">TEXT</span>(<span class="string">&quot;ntdll&quot;</span>));</span><br><span class="line">    NTSTATUS result = <span class="built_in">LhInstallHook</span>(<span class="built_in">GetProcAddress</span>(ntdll, <span class="string">&quot;NtQuerySystemInformation&quot;</span>),</span><br><span class="line">                                    myNtQuerySystemInformation,<span class="literal">NULL</span>,&amp;hHook);</span><br><span class="line"></span><br><span class="line">    <span class="keyword">if</span> (<span class="built_in">FAILED</span>(result))</span><br><span class="line">        std::wcout &lt;&lt; <span class="built_in">RtlGetLastErrorString</span>() &lt;&lt; std::endl;</span><br><span class="line">    <span class="keyword">else</span></span><br><span class="line">        std::wcout &lt;&lt; <span class="string">&quot;NtQuerySystemInformation hook success!&quot;</span> &lt;&lt; std::endl;</span><br><span class="line"></span><br><span class="line">    <span class="comment">// If the threadId in the ACL is set to 0,</span></span><br><span class="line">    <span class="comment">// then internally EasyHook uses GetCurrentThreadId()</span></span><br><span class="line">    ULONG ACLEntries[<span class="number">1</span>] = &#123; <span class="number">0</span> &#125;;</span><br><span class="line"></span><br><span class="line">    <span class="comment">// Disable the hook for the provided threadIds, enable for all others</span></span><br><span class="line">    <span class="built_in">LhSetExclusiveACL</span>(ACLEntries, <span class="number">1</span>, &amp;hHook);</span><br><span class="line">    <span class="keyword">return</span>;</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>

<p>写好了DLL，下一步就是找到目标进程注入进去了。仔细研究一下那个SafeConnect，可以发现他总共有两部分：一个scManager.sys系统服务，以及一个SafeConnectClient.exe进程，实测发现把DLL注入到SafeConnectClient.exe不管用，于是断定负责检索系统进程列表的是scManager.sys。</p>
<p>下图是用来将我们写的DLL注入到scManager.sys的代码，这里代码做的事情是查找名为scManager.sys的进程，读取进程的PID，然后调用EasyHook的API将我们写的DLL注入到对应的进程中。</p>
<figure class="highlight c++"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">#<span class="meta-keyword">include</span> <span class="meta-string">&lt;iostream&gt;</span></span></span><br><span class="line"><span class="meta">#<span class="meta-keyword">include</span> <span class="meta-string">&lt;string&gt;</span></span></span><br><span class="line"><span class="meta">#<span class="meta-keyword">include</span> <span class="meta-string">&lt;tchar.h&gt;</span></span></span><br><span class="line"><span class="meta">#<span class="meta-keyword">include</span> <span class="meta-string">&lt;cstring&gt;</span></span></span><br><span class="line"><span class="meta">#<span class="meta-keyword">include</span> <span class="meta-string">&lt;easyhook.h&gt;</span></span></span><br><span class="line"><span class="meta">#<span class="meta-keyword">include</span> <span class="meta-string">&lt;psapi.h&gt;</span></span></span><br><span class="line"></span><br><span class="line"><span class="meta">#<span class="meta-keyword">pragma</span> comment(lib, <span class="meta-string">&quot;EasyHook32.lib&quot;</span>)</span></span><br><span class="line"><span class="meta">#<span class="meta-keyword">pragma</span> comment(lib, <span class="meta-string">&quot;psapi.lib&quot;</span> )</span></span><br><span class="line"><span class="keyword">using</span> <span class="keyword">namespace</span> std;</span><br><span class="line"></span><br><span class="line"><span class="meta">#<span class="meta-keyword">define</span> NUM_PROC 1</span></span><br><span class="line">TCHAR * targets[NUM_PROC] = &#123;</span><br><span class="line">    <span class="built_in">TEXT</span>(<span class="string">&quot;scManager.sys&quot;</span>)</span><br><span class="line">&#125;;</span><br><span class="line"></span><br><span class="line"><span class="function">DWORD <span class="title">getTargetProcessID</span><span class="params">(TCHAR *target)</span> </span>&#123;</span><br><span class="line">    DWORD aProcesses[<span class="number">1024</span>], cbNeeded, cProcesses;</span><br><span class="line">    <span class="keyword">if</span>(!<span class="built_in">EnumProcesses</span>(aProcesses, <span class="built_in"><span class="keyword">sizeof</span></span>(aProcesses), &amp;cbNeeded))</span><br><span class="line">        <span class="keyword">return</span> <span class="number">0</span>;</span><br><span class="line">    cProcesses = cbNeeded / <span class="built_in"><span class="keyword">sizeof</span></span>(DWORD);</span><br><span class="line">    <span class="keyword">for</span> (DWORD i = <span class="number">0</span>; i &lt; cProcesses; i++) &#123;</span><br><span class="line">        <span class="keyword">if</span> (aProcesses[i] != <span class="number">0</span>)&#123;</span><br><span class="line">            TCHAR szProcessName[MAX_PATH] = <span class="built_in">TEXT</span>(<span class="string">&quot;&lt;unknown&gt;&quot;</span>);</span><br><span class="line">            HANDLE hProcess = <span class="built_in">OpenProcess</span>(PROCESS_QUERY_INFORMATION|PROCESS_VM_READ,</span><br><span class="line">                                          FALSE, aProcesses[i]);</span><br><span class="line">            <span class="keyword">if</span> (<span class="literal">NULL</span> != hProcess) &#123;</span><br><span class="line">                HMODULE hMod;</span><br><span class="line">                DWORD cbNeeded;</span><br><span class="line">                <span class="keyword">if</span> (<span class="built_in">EnumProcessModules</span>(hProcess, &amp;hMod, <span class="built_in"><span class="keyword">sizeof</span></span>(hMod),&amp;cbNeeded))</span><br><span class="line">                    <span class="built_in">GetModuleBaseName</span>(hProcess, hMod, szProcessName,<span class="built_in"><span class="keyword">sizeof</span></span>(szProcessName)/<span class="built_in"><span class="keyword">sizeof</span></span>(TCHAR));</span><br><span class="line">                <span class="built_in">CloseHandle</span>(hProcess);</span><br><span class="line">            &#125;</span><br><span class="line">            <span class="keyword">if</span> (_tcscmp(target, szProcessName) == <span class="number">0</span>)</span><br><span class="line">                <span class="keyword">return</span> aProcesses[i];</span><br><span class="line">        &#125;</span><br><span class="line">    &#125;</span><br><span class="line">    <span class="keyword">return</span> <span class="number">0</span>;</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">int</span> <span class="title">main</span><span class="params">()</span> </span>&#123;</span><br><span class="line">    <span class="keyword">for</span> (<span class="keyword">int</span> i = <span class="number">0</span>; i &lt; NUM_PROC; i++) &#123;</span><br><span class="line">        DWORD processId = <span class="built_in">getTargetProcessID</span>(targets[i]);</span><br><span class="line">        HMODULE ntdll = <span class="built_in">GetModuleHandle</span>(<span class="built_in">TEXT</span>(<span class="string">&quot;ntdll&quot;</span>));</span><br><span class="line">        std::wcout &lt;&lt; <span class="string">&quot;target func in injector has address &quot;</span></span><br><span class="line">                   &lt;&lt; <span class="built_in">GetProcAddress</span>(ntdll, <span class="string">&quot;NtQuerySystemInformation&quot;</span>) &lt;&lt; std::endl;</span><br><span class="line">        <span class="keyword">if</span> (processId == <span class="number">0</span>) &#123;</span><br><span class="line">            std::wcout &lt;&lt; <span class="string">&quot;Unable to find the process ID for &quot;</span></span><br><span class="line">                       &lt;&lt; targets[i] &lt;&lt; <span class="string">&quot;, please manually input: &quot;</span>;</span><br><span class="line">            std::cin &gt;&gt; processId;</span><br><span class="line">            std::wstring input;</span><br><span class="line">            std::<span class="built_in">getline</span>(std::wcin, input);</span><br><span class="line">        &#125;</span><br><span class="line">        <span class="keyword">if</span> (processId!=<span class="number">0</span>) &#123;</span><br><span class="line">            NTSTATUS nt = <span class="built_in">RhInjectLibrary</span>(processId, <span class="number">0</span>, EASYHOOK_INJECT_DEFAULT,</span><br><span class="line">                                          <span class="string">L&quot;fuck_safeconnect.dll&quot;</span>, <span class="literal">NULL</span>, <span class="literal">NULL</span>, <span class="number">0</span>);</span><br><span class="line">            <span class="keyword">if</span> (nt != <span class="number">0</span>) &#123;</span><br><span class="line">                <span class="built_in">printf</span>(<span class="string">&quot;RhInjectLibrary failed with error code = %d\n&quot;</span>, nt);</span><br><span class="line">                PWCHAR err = <span class="built_in">RtlGetLastErrorString</span>();</span><br><span class="line">                std::wcout &lt;&lt; err &lt;&lt; <span class="string">&quot;\n&quot;</span>;</span><br><span class="line">            &#125; <span class="keyword">else</span> &#123;</span><br><span class="line">                std::wcout &lt;&lt; <span class="string">&quot;inject success!\n&quot;</span>;</span><br><span class="line">            &#125;</span><br><span class="line">        &#125;</span><br><span class="line">    &#125;</span><br><span class="line"></span><br><span class="line">    std::wcout &lt;&lt; <span class="string">&quot;Press Enter to exit&quot;</span>;</span><br><span class="line">    std::wstring input;</span><br><span class="line">    std::<span class="built_in">getline</span>(std::wcin, input);</span><br><span class="line">    <span class="keyword">return</span> <span class="number">0</span>;</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>

<p>由于scManager.sys是个系统服务，单纯的“以管理员身份运行”是无法成功注入的，这时候就需要把注入器提权到SYSTEM用户来进行注入。提权到SYSTEM的操作可以用微软提供的<a target="_blank" rel="noopener" href="https://technet.microsoft.com/en-us/sysinternals/pxexec.aspx">PsExec</a>工具来进行。PsExec是个命令行工具，使用PsExec非常简单，只需要<code>psexec –i –s 程序名</code>即可。</p>
<img src="/2017/07/01/%E6%88%91%E4%B8%8E%E5%AD%A6%E6%A0%A1SafeConnect%E8%BD%AF%E4%BB%B6%E6%96%97%E6%99%BA%E6%96%97%E5%8B%87%E7%9A%84%E7%BB%8F%E5%8E%86/inject-success.png" class="" title="注入成功，这时候再打开BitTorrent就不被断网了">

<p>由于逆向工程太过费时费力，笔者并没有在SafeConnect客户端上多费心思，而是转向了第二种方法：欺骗SafeConnect的服务器端的操作系统检测功能。要检测连进来的设备的操作系统，一种常用的方法是TCP Fingerprinting，此外，还可以运用深度包检测技术读取设备发送的数据包的内容，推测设备的类型。只需要针对这几项进行伪装，然后观察SafeConnect的行为就可以推测SafeConnect检测用户操作系统的方式。</p>
<p>经过一番实验，推测SafeConnect服务器的工作原理如下：客户端新设备连进网络的时候，他们是直接不给你互联网接入的。但是他们会监测你的的外出http流量，从http流量中读取User-Agent中的操作系统信息。</p>
<p>如果发现是他们SafeConnect客户端不支持的系统，比如Linux，iOS，android之类，就把你这个IP地址限制放开。如果是客户端支持的系统，比如Windows，Mac OS，并且你的SafeConnect已经安装了，那么SafeConnect会跟他们服务器通讯把你放开，如果你还没安装SafeConnect，那么就把你跳转到相关页面让你装SafeConnect。</p>
<p>明白了这一点，解决方法自然就来了：给浏览器安装可以更改User-Agent的插件，把User-Agent里面的操作系统信息改成Linux即可，这样在访问网络的时候，SafeConnect的服务器就会误以为你是Linux系统了。通过给浏览器更改User-Agent，几乎可以完美躲过SafeConnect的法眼，然而美中不足的是如果用多个浏览器，还需要挨个安装插件更改User-Agent，同时有的网站会检测浏览器的版本，如果发现浏览器版本过就会提示不支持需要更新，这样就需要不断地根据浏览器更新手工更改插件里的User-Agent的值。还有一点麻烦的地方是，新设备接入的时候还需要设置新的设备。对我来说有没有设置一个新设备自然很简单，但是经常有时候有客人来，用Windows设备没装SafeConnect就上网导致我家整个路由器被封。有没有简单快捷的方法自动让所有连接到路由器的设备都不受SafeConnect的影响呢？这时候就想到了bettercap。</p>
<p>Bettercap是一个模块化的开源的中间人攻击框架。使用bettercap只需要几行代码就可以实现劫持整个局域网的流量并把其中的HTTP流量的User-Agent改掉。这样的话，只要家里有客人来，我们就可以打开bettercap，自动把客人的User-Agent改掉，防止客人上网导致家里整个路由器都被断。在局域网中实现中间人攻击的一种常见方法是ARP欺骗。ARP欺骗攻击发起方通过不断向受害者发送伪造的ARP数据包，让受害者误以为自己是网关，这样受害者本来想送到网关的数据包就会错误地送给攻击方，攻击方进而可以篡改数据然后送给真正的网关。要使用bettercap实现User-Agent的伪造，首先需要写一个bettercap的代理模块。Bettercap的代理模块写起来非常简单， <a target="_blank" rel="noopener" href="https://github.com/evilsocket/bettercap-proxy-modules">这里有很多示例模块</a>，文档在<a target="_blank" rel="noopener" href="https://www.bettercap.org/docs/proxying/http.html">这里</a>。我写的模块代码如下:</p>
<figure class="highlight ruby"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br></pre></td><td class="code"><pre><span class="line"><span class="class"><span class="keyword">class</span> <span class="title">Osfuscate</span> &lt; BetterCap::Proxy::<span class="title">HTTP::Module</span></span></span><br><span class="line">    meta(</span><br><span class="line">        <span class="string">&#x27;Name&#x27;</span>        =&gt; <span class="string">&#x27;Osfuscate&#x27;</span>,</span><br><span class="line">        <span class="string">&#x27;Description&#x27;</span> =&gt; <span class="string">&#x27;Change the operating system in User-Agent string to Linux.&#x27;</span>,</span><br><span class="line">        <span class="string">&#x27;Version&#x27;</span>     =&gt; <span class="string">&#x27;1.0.0&#x27;</span>,</span><br><span class="line">        <span class="string">&#x27;Author&#x27;</span>      =&gt; <span class="string">&quot;zasdfgbnm&quot;</span>,</span><br><span class="line">        <span class="string">&#x27;License&#x27;</span>     =&gt; <span class="string">&#x27;GPL3&#x27;</span></span><br><span class="line">    )</span><br><span class="line"></span><br><span class="line">    <span class="function"><span class="keyword">def</span> <span class="title">on_pre_request</span><span class="params">( request )</span></span></span><br><span class="line">        request[<span class="string">&#x27;User-Agent&#x27;</span>].gsub!( <span class="regexp">/\(Windows.*?\)/</span>, <span class="string">&#x27;(X11; Linux x86_64)&#x27;</span> )</span><br><span class="line">        request[<span class="string">&#x27;User-Agent&#x27;</span>].gsub!( <span class="regexp">/\(Macintosh.*?\)/</span>, <span class="string">&#x27;(X11; Linux x86_64)&#x27;</span> )</span><br><span class="line">        <span class="comment"># return nil to tell the streamer that this module didn&#x27;t do the request</span></span><br><span class="line">        <span class="comment"># and therefore the request should be done by the streamer.</span></span><br><span class="line">        <span class="keyword">return</span> <span class="literal">nil</span></span><br><span class="line">    <span class="keyword">end</span></span><br><span class="line"><span class="keyword">end</span></span><br></pre></td></tr></table></figure>

<p>其中<code>on_pre_request</code>函数在请求发生前会被调用，我们只需要在这里把请求中User-Agent的信息中的操作系统给替换成Linux就行了。这里需要注意的是，在函数的结尾需要返回<code>nil</code>，用来告诉bettercap请求还没有被执行，这样bettercap才会去执行请求。</p>
<p>有了这个代理模块，要想部署，只需要执行<code>bettercap–proxy-module 模块文件名</code>命令就可以了，不需要手动配置iptables这些东西, 非常简单快捷。上图：</p>
<img src="/2017/07/01/%E6%88%91%E4%B8%8E%E5%AD%A6%E6%A0%A1SafeConnect%E8%BD%AF%E4%BB%B6%E6%96%97%E6%99%BA%E6%96%97%E5%8B%87%E7%9A%84%E7%BB%8F%E5%8E%86/ua-windows.png" class="" title="这是局域网内的一台Windows机器User-Agent中的操作系统信息">
<img src="/2017/07/01/%E6%88%91%E4%B8%8E%E5%AD%A6%E6%A0%A1SafeConnect%E8%BD%AF%E4%BB%B6%E6%96%97%E6%99%BA%E6%96%97%E5%8B%87%E7%9A%84%E7%BB%8F%E5%8E%86/bettercap.png" class="" title="这是bettercap软件的运行界面">
<img src="/2017/07/01/%E6%88%91%E4%B8%8E%E5%AD%A6%E6%A0%A1SafeConnect%E8%BD%AF%E4%BB%B6%E6%96%97%E6%99%BA%E6%96%97%E5%8B%87%E7%9A%84%E7%BB%8F%E5%8E%86/ua-changed.png" class="" title="这是bettercap运行时局域网内这台Windows机器的User-Agent中的操作系统信息">

<p>从图中可见User-Agent信息已经被成功修改掉了，大功告成。</p>
<p>最后说再来一句，这个工作其实稳定的解决方法是直接在路由器跟网口中间加一个电脑用来做网关来负责User-Agent的修改，这样网络会比ARP欺骗的解决方案要稳定好多。这里之所以选择ARP欺骗的方案主要是因为简单快速不需要拔网线不需要设置网关。另外，如果你已经有一台已经设置好了的网关服务器，bettercap同样可以用来完成我们想要的任务，只需要在网关服务器上执行如下命令</p>
<figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">bettercap --no-spoofing --no-discovery --proxy-module 模块名</span><br></pre></td></tr></table></figure>

<p>程序执行的界面类似，这里就不截图了。</p>

    </div>

    
    
    
        

  <div class="followme">
    <p>Welcome to my other publishing channels</p>

    <div class="social-list">

        <div class="social-item">
          <a target="_blank" class="social-link" href="https://twitter.com/gaoxiang_ai">
            <span class="icon">
              <i class="fab fa-twitter"></i>
            </span>

            <span class="label">Twitter</span>
          </a>
        </div>

        <div class="social-item">
          <a target="_blank" class="social-link" href="/atom.xml">
            <span class="icon">
              <i class="fa fa-rss"></i>
            </span>

            <span class="label">RSS</span>
          </a>
        </div>
    </div>
  </div>


      <footer class="post-footer">
          <div class="post-tags">
              <a href="/tags/SafeConnect/" rel="tag"># SafeConnect</a>
              <a href="/tags/P2P/" rel="tag"># P2P</a>
              <a href="/tags/DLL%E6%B3%A8%E5%85%A5/" rel="tag"># DLL注入</a>
              <a href="/tags/%E4%B8%AD%E9%97%B4%E4%BA%BA%E6%94%BB%E5%87%BB/" rel="tag"># 中间人攻击</a>
              <a href="/tags/ARP%E6%AC%BA%E9%AA%97/" rel="tag"># ARP欺骗</a>
              <a href="/tags/%E9%80%86%E5%90%91%E5%B7%A5%E7%A8%8B/" rel="tag"># 逆向工程</a>
              <a href="/tags/Hook/" rel="tag"># Hook</a>
              <a href="/tags/User-Agent/" rel="tag"># User-Agent</a>
              <a href="/tags/bettercap/" rel="tag"># bettercap</a>
          </div>

        


        
    <div class="post-nav">
      <div class="post-nav-item">
    <a href="/2017/06/29/%E8%83%BD%E5%BD%93%E4%B8%BB%E5%8A%9B%EF%BC%8C%E8%83%BD%E5%85%A5%E8%99%9A%E6%8B%9F%E6%9C%BA%EF%BC%8C%E8%BF%98%E8%83%BD%E9%9A%8F%E6%97%B6%E6%89%93%E5%8C%85%E5%B8%A6%E8%B5%B0%EF%BC%8CLinux%E5%B0%B1%E6%98%AF%E8%BF%99%E4%B9%88%E5%BC%BA%E5%A4%A7/" rel="prev" title="能当主力，能入虚拟机，还能随时打包带走，Linux就是这么强大">
      <i class="fa fa-chevron-left"></i> 能当主力，能入虚拟机，还能随时打包带走，Linux就是这么强大
    </a></div>
      <div class="post-nav-item">
    <a href="/2017/07/06/Rademacher%E5%A4%8D%E6%9D%82%E5%BA%A6%E5%AD%A6%E4%B9%A0%E7%AC%94%E8%AE%B0/" rel="next" title="Rademacher复杂度学习笔记">
      Rademacher复杂度学习笔记 <i class="fa fa-chevron-right"></i>
    </a></div>
    </div>
      </footer>
    
  </article>
  
  
  



          </div>
          
    
  <div class="comments">
    <div id="disqus_thread">
      <noscript>Please enable JavaScript to view the comments powered by Disqus.</noscript>
    </div>
  </div>
  

<script>
  window.addEventListener('tabs:register', () => {
    let { activeClass } = CONFIG.comments;
    if (CONFIG.comments.storage) {
      activeClass = localStorage.getItem('comments_active') || activeClass;
    }
    if (activeClass) {
      let activeTab = document.querySelector(`a[href="#comment-${activeClass}"]`);
      if (activeTab) {
        activeTab.click();
      }
    }
  });
  if (CONFIG.comments.storage) {
    window.addEventListener('tabs:click', event => {
      if (!event.target.matches('.tabs-comment .tab-content .tab-pane')) return;
      let commentClass = event.target.classList[1];
      localStorage.setItem('comments_active', commentClass);
    });
  }
</script>

        </div>
          
  
  <div class="toggle sidebar-toggle">
    <span class="toggle-line toggle-line-first"></span>
    <span class="toggle-line toggle-line-middle"></span>
    <span class="toggle-line toggle-line-last"></span>
  </div>

  <aside class="sidebar">
    <div class="sidebar-inner">

      <ul class="sidebar-nav motion-element">
        <li class="sidebar-nav-toc">
          Table of Contents
        </li>
        <li class="sidebar-nav-overview">
          Overview
        </li>
      </ul>

      <!--noindex-->
      <div class="post-toc-wrap sidebar-panel">
      </div>
      <!--/noindex-->

      <div class="site-overview-wrap sidebar-panel">
        <div class="site-author motion-element" itemprop="author" itemscope itemtype="http://schema.org/Person">
  <p class="site-author-name" itemprop="name">zasdfgbnm</p>
  <div class="site-description" itemprop="description"></div>
</div>
<div class="site-state-wrap motion-element">
  <nav class="site-state">
      <div class="site-state-item site-state-posts">
          <a href="/archives/">
        
          <span class="site-state-item-count">11</span>
          <span class="site-state-item-name">posts</span>
        </a>
      </div>
      <div class="site-state-item site-state-categories">
            <a href="/categories/">
          
        <span class="site-state-item-count">5</span>
        <span class="site-state-item-name">categories</span></a>
      </div>
      <div class="site-state-item site-state-tags">
            <a href="/tags/">
          
        <span class="site-state-item-count">56</span>
        <span class="site-state-item-name">tags</span></a>
      </div>
  </nav>
</div>
  <div class="links-of-author motion-element">
      <span class="links-of-author-item">
        <a href="https://github.com/zasdfgbnm" title="GitHub → https:&#x2F;&#x2F;github.com&#x2F;zasdfgbnm" rel="noopener" target="_blank"><i class="fab fa-github fa-fw"></i>GitHub</a>
      </span>
      <span class="links-of-author-item">
        <a href="https://twitter.com/gaoxiang_ai" title="Twitter → https:&#x2F;&#x2F;twitter.com&#x2F;gaoxiang_ai" rel="noopener" target="_blank"><i class="fab fa-twitter fa-fw"></i>Twitter</a>
      </span>
  </div>



      </div>

    </div>
  </aside>
  <div id="sidebar-dimmer"></div>


      </div>
    </main>

    <footer class="footer">
      <div class="footer-inner">
        

        

<div class="copyright">
  
  &copy; 
  <span itemprop="copyrightYear">2021</span>
  <span class="with-love">
    <i class="fa fa-heart"></i>
  </span>
  <span class="author" itemprop="copyrightHolder">zasdfgbnm</span>
</div>
  <div class="powered-by">Powered by <a href="https://hexo.io/" class="theme-link" rel="noopener" target="_blank">Hexo</a> & <a href="https://muse.theme-next.org/" class="theme-link" rel="noopener" target="_blank">NexT.Muse</a>
  </div>

        








      </div>
    </footer>
  </div>

  
  <script src="/lib/anime.min.js"></script>
  <script src="/lib/velocity/velocity.min.js"></script>
  <script src="/lib/velocity/velocity.ui.min.js"></script>

<script src="/js/utils.js"></script>

<script src="/js/motion.js"></script>


<script src="/js/schemes/muse.js"></script>


<script src="/js/next-boot.js"></script>




  
  <script>
    (function(){
      var canonicalURL, curProtocol;
      //Get the <link> tag
      var x=document.getElementsByTagName("link");
		//Find the last canonical URL
		if(x.length > 0){
			for (i=0;i<x.length;i++){
				if(x[i].rel.toLowerCase() == 'canonical' && x[i].href){
					canonicalURL=x[i].href;
				}
			}
		}
    //Get protocol
	    if (!canonicalURL){
	    	curProtocol = window.location.protocol.split(':')[0];
	    }
	    else{
	    	curProtocol = canonicalURL.split(':')[0];
	    }
      //Get current URL if the canonical URL does not exist
	    if (!canonicalURL) canonicalURL = window.location.href;
	    //Assign script content. Replace current URL with the canonical URL
      !function(){var e=/([http|https]:\/\/[a-zA-Z0-9\_\.]+\.baidu\.com)/gi,r=canonicalURL,t=document.referrer;if(!e.test(r)){var n=(String(curProtocol).toLowerCase() === 'https')?"https://sp0.baidu.com/9_Q4simg2RQJ8t7jm9iCKT-xh_/s.gif":"//api.share.baidu.com/s.gif";t?(n+="?r="+encodeURIComponent(document.referrer),r&&(n+="&l="+r)):r&&(n+="?l="+r);var i=new Image;i.src=n}}(window);})();
  </script>















  

  

  

<script>
  function loadCount() {
    var d = document, s = d.createElement('script');
    s.src = 'https://zasdfgbnm-github-io.disqus.com/count.js';
    s.id = 'dsq-count-scr';
    (d.head || d.body).appendChild(s);
  }
  // defer loading until the whole page loading is completed
  window.addEventListener('load', loadCount, false);
</script>
<script>
  var disqus_config = function() {
    this.page.url = "https://zasdfgbnm.github.io/2017/07/01/%E6%88%91%E4%B8%8E%E5%AD%A6%E6%A0%A1SafeConnect%E8%BD%AF%E4%BB%B6%E6%96%97%E6%99%BA%E6%96%97%E5%8B%87%E7%9A%84%E7%BB%8F%E5%8E%86/";
    this.page.identifier = "2017/07/01/我与学校SafeConnect软件斗智斗勇的经历/";
    this.page.title = "我与学校SafeConnect软件斗智斗勇的经历";
    };
  NexT.utils.loadComments(document.querySelector('#disqus_thread'), () => {
    if (window.DISQUS) {
      DISQUS.reset({
        reload: true,
        config: disqus_config
      });
    } else {
      var d = document, s = d.createElement('script');
      s.src = 'https://zasdfgbnm-github-io.disqus.com/embed.js';
      s.setAttribute('data-timestamp', '' + +new Date());
      (d.head || d.body).appendChild(s);
    }
  });
</script>

</body>
</html>
